n.protector virus
Posted: 16 Oct 2010 11:03
Hello,
I would like to ask for help removing the Protector.N virus, see:
C:\WINDOWS\system32\drivers\cdrom.sys Win32/Protector.N virus unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe. - ESS finds it but cannot remove it.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:06, on 16. 10. 2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TEMP\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Služba Google Update (gupdate1c98dfcb616aac5) (gupdate1c98dfcb616aac5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 3219 bytes
And here is the ComboFix log as well:
ComboFix 10-10-15.03 - VIERA KOVACOVA . 10. 2010 11:26:38.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.1535.1164 [GMT 2:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\VIERA KOVACOVA\RavMonLog
c:\program files\Internet Explorer\ws2help.dll
C:\text.txt
c:\windows\system32\DRIVERS\cdrom.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
.
2010-10-16 09:33 . 2010-10-16 09:33 84800 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-10-16 08:41 . 2010-10-16 08:41 -------- d-----w- c:\program files\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 23:22 . 2008-02-17 13:46 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-22 23:22 . 2008-02-17 13:46 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-22 23:22 . 2008-02-17 13:46 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-22 23:22 . 2008-02-17 13:46 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-22 23:22 . 2008-02-17 13:46 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="ptipbm.dll" [2003-01-15 24576]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"mi-raysat_3dsmax9_32"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\3dsmax7\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\backburner 2\\manager.exe"=
"c:\\Program Files\\backburner 2\\monitor.exe"=
"c:\\Program Files\\backburner 2\\server.exe"=
"c:\\Hry\\Counter-Strike Source\\hl2.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16477:TCP"= 16477:TCP:*:Disabled:NortonAV
"12246:TCP"= 12246:TCP:*:Disabled:NortonAV
"12151:TCP"= 12151:TCP:BitComet 12151 TCP
"12151:UDP"= 12151:UDP:BitComet 12151 UDP
"12391:TCP"= 12391:TCP:*:Disabled:NortonAV
"17184:TCP"= 17184:TCP:NortonAV
"17178:TCP"= 17178:TCP:*:Disabled:NortonAV
"16642:TCP"= 16642:TCP:*:Disabled:NortonAV
R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [2. 7. 2003 18:41 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [2. 7. 2003 17:49 124160]
R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [27. 4. 2003 13:39 8704]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [18. 11. 2007 15:49 77312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [13. 3. 2008 17:49 472280]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [19. 7. 2009 19:04 222968]
S2 gupdate1c98dfcb616aac5;Služba Google Update (gupdate1c98dfcb616aac5);c:\program files\Google\Update\GoogleUpdate.exe [13. 2. 2009 19:01 133104]
S3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [27. 12. 2002 21:14 8384]
S3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [27. 12. 2002 21:14 98560]
S3 FlarionDTM;Flarion DTM Network Interface;c:\windows\system32\drivers\FlrnDTM.sys [24. 11. 2007 13:42 24706]
S3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [27. 4. 2003 12:43 99360]
S4 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8. 1. 2010 0:51 380928]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21. 3. 2008 15:36 691696]
.
Contents of the 'Scheduled Tasks' folder
2010-10-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-13 14:31]
2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 17:01]
2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 17:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zoznam.sk
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\8n4ivrqk.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\pdfforge Toolbar\SSFF\components\SearchSettingsFF.dll
.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x88EFA7B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> 0x88efa7b0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|˙˙˙˙"•€|ţ»Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-16 11:35:29
ComboFix-quarantined-files.txt 2010-10-16 09:35
Pre-Run: 11 249 852 416 bytes free
Post-Run: 33 adresárov, 11 210 809 344 voľných bajtov
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - DEBFCC91C3031E27757E1908AE8C842D
Thanks in advance for your help.